Completely agree with your manifesto. Developers worry about functionality, performance, scalability, maintainability. Usability if you're lucky ;) Security comes way down the list, and they're not really measured on it because functional testers don't understand security either!

One approach I take is to teach basic pen testing techniques to developers. I've found that the vast majority of them see pen testing as a 'black art', and when they find out how easy it can be to find basic security vulnerabilities in their products, they take security much more seriously. To this end I've released the OWASP Zed Attack Proxy (http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project) and maintain the Pen Testing for Developers blog: http://pentest4devs.blogspot.com/